This is probably a red herring, but I noticed this in my pihole logs today.. Can't quite figure out how this could happen. It all started tonight right after I upgraded pihole. The meraki.com is my Cisco Meraki wireless router, but that is not it's IP address. Everything is on a 192.168.1.0/24 subnet.
Jan 3 21:38:56 dnsmasq[1395]: query[AAAA] yahoo.com from 6.111.53.76
Jan 3 21:41:29 dnsmasq[3166]: query[AAAA] meraki.com from 6.111.53.76
Jan 3 21:44:02 dnsmasq[4898]: query[AAAA] google.com from 6.111.53.76
Jan 3 21:46:35 dnsmasq[4898]: query[AAAA] yahoo.com from 6.111.53.76
Jan 3 21:49:08 dnsmasq[4898]: query[AAAA] meraki.com from 6.111.53.76
Jan 3 21:51:41 dnsmasq[5685]: query[AAAA] google.com from 6.111.53.76
Jan 3 21:54:14 dnsmasq[8832]: query[AAAA] yahoo.com from 6.111.53.76
Jan 3 21:56:47 dnsmasq[8832]: query[AAAA] meraki.com from 6.111.53.76
Jan 3 21:59:19 dnsmasq[8832]: query[AAAA] google.com from 6.111.53.76
How is that exactly?? So either you have a public IP hitting your pihole from the internet, that it shouldn't be able to do as you stated. Or you have some box on your network using/spoofing to public rfc1918 space. That its owned by the dod really has nothing to do with the problem your asking about.
Or pihole is logging stuff wrong - all of which seem like stuff you should look into the root cause of
But where exactly did you see these? Since it seems DL6ER says they are not in your log??
I did not see them in his debug log. However, the debugger does only upload the queries during the time of running the debugger (maybe only a few seconds, we don't see what was logged before).
Right.. Don't waste anymore time on it.. I'll keep debugging. It's got to be something with dnsmasq logging the wrong IP or something. I'm pretty sure the request is coming from my wireless meraki router, as it is also querying google.com and meraki.com (probably an internet-is-up check).
I may reenable ipv6 later to see if I can get it to show up.. I can't reproduce it on demand from the meraki router
Well, I reenabled ipv6, and rebooted the pihole, and sure enough, the meraki router did it's normal health check and it logged it as the 6.111 address..
Jan 4 10:09:53 dnsmasq[530]: query[AAAA] meraki.com from 6.111.53.76
Jan 4 10:09:53 dnsmasq[530]: forwarded meraki.com to 208.67.220.220
Jan 4 10:09:53 dnsmasq[530]: forwarded meraki.com to 208.67.222.222
Then I ran a tcpdump and caught this
pi@raspberrypi:/var/log $ sudo tcpdump host 6.111.53.76
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:12:25.907960 IP 6.111.53.76.43848 > raspberrypi.domain: 61213+ AAAA? google.com. (28)
10:12:25.937164 IP raspberrypi.domain > 6.111.53.76.43848: 61213 1/0/0 AAAA 2607:f8b0:4004:808::200e (56)
10:12:25.941215 IP 6.111.53.76 > raspberrypi: ICMP 6.111.53.76 udp port 43848 unreachable, length 92
And
pi@raspberrypi:/var/log $ ping 6.111.53.76
PING 6.111.53.76 (6.111.53.76) 56(84) bytes of data.
64 bytes from 6.111.53.76: icmp_seq=1 ttl=64 time=4.65 ms
64 bytes from 6.111.53.76: icmp_seq=2 ttl=64 time=7.35 ms
So yea.. the Meraki router itself is answering this address
pi@raspberrypi:/var/log $ sudo nmap -v -T4 -A 6.111.53.76
Starting Nmap 6.47 ( http://nmap.org ) at 2017-01-04 10:23 EST
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 10:23
Scanning 6.111.53.76 [4 ports]
Completed Ping Scan at 10:23, 0.25s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:23
Completed Parallel DNS resolution of 1 host. at 10:23, 0.01s elapsed
Initiating SYN Stealth Scan at 10:23
Scanning 6.111.53.76 [1000 ports]
Discovered open port 53/tcp on 6.111.53.76
Discovered open port 80/tcp on 6.111.53.76
Discovered open port 81/tcp on 6.111.53.76
Completed SYN Stealth Scan at 10:23, 30.25s elapsed (1000 total ports)
Initiating Service scan at 10:23
Scanning 3 services on 6.111.53.76
Completed Service scan at 10:25, 76.99s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 6.111.53.76
Retrying OS detection (try #2) against 6.111.53.76
Initiating Traceroute at 10:25
Completed Traceroute at 10:25, 0.02s elapsed
Initiating Parallel DNS resolution of 1 host. at 10:25
Completed Parallel DNS resolution of 1 host. at 10:25, 0.01s elapsed
NSE: Script scanning 6.111.53.76.
Initiating NSE at 10:25
Completed NSE at 10:25, 30.07s elapsed
Nmap scan report for 6.111.53.76
Host is up (0.0087s latency).
Not shown: 846 filtered ports, 151 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http lighttpd 1.4.39
|_http-favicon: Unknown favicon MD5: CF27085D23111901C4846512553EB965
|_http-methods: OPTIONS GET HEAD POST
|_http-title: Site doesn't have a title (text/html).
81/tcp open hosts2-ns?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port81-TCP:V=6.47%I=7%D=1/4%Time=586D1385%P=arm-unknown-linux-gnueabihf
SF:%r(GetRequest,10E,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x2
SF:0text/html\r\nConnection:\x20close\r\nDate:\x20Wed,\x2004\x20Jan\x20201
SF:7\x2015:24:13\x20GMT\r\nContent-Length:\x20142\r\n\r\n<html><head><titl
SF:e>404\x20Not\x20Found</title></head><body><h1>Not\x20Found</h1><p>The\x
SF:20requested\x20URL\x20/\x20was\x20not\x20found\x20on\x20this\x20server\
SF:.</p></body></html>\n")%r(HTTPOptions,EC,"HTTP/1\.1\x20501\x20Not\x20Im
SF:plemented\r\nContent-Type:\x20text/html\r\nConnection:\x20close\r\nDate
SF::\x20Wed,\x2004\x20Jan\x202017\x2015:24:13\x20GMT\r\nContent-Length:\x2
SF:0102\r\n\r\n<HTML><HEAD>\n<TITLE>501\x20Not\x20Implemented</TITLE>\n</H
SF:EAD><BODY>\n<H1>Not\x20Implemented</H1>\n</BODY></HTML>\n")%r(FourOhFou
SF:rRequest,131,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text
SF:/html\r\nConnection:\x20close\r\nDate:\x20Wed,\x2004\x20Jan\x202017\x20
SF:15:24:18\x20GMT\r\nContent-Length:\x20177\r\n\r\n<html><head><title>404
SF:\x20Not\x20Found</title></head><body><h1>Not\x20Found</h1><p>The\x20req
SF:uested\x20URL\x20/nice%20ports%2C/Tri%6Eity\.txt%2ebak\x20was\x20not\x2
SF:0found\x20on\x20this\x20server\.</p></body></html>\n")%r(GenericLines,D
SF:F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/html\r\n
SF:Connection:\x20close\r\nDate:\x20Wed,\x2004\x20Jan\x202017\x2015:24:18\
SF:x20GMT\r\nContent-Length:\x2094\r\n\r\n<HTML><HEAD>\n<TITLE>400\x20Bad\
SF:x20Request</TITLE>\n</HEAD><BODY>\n<H1>Bad\x20Request</H1>\n</BODY></HT
SF:ML>\n")%r(RTSPRequest,DF,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent
SF:-Type:\x20text/html\r\nConnection:\x20close\r\nDate:\x20Wed,\x2004\x20J
SF:an\x202017\x2015:24:18\x20GMT\r\nContent-Length:\x2094\r\n\r\n<HTML><HE
SF:AD>\n<TITLE>400\x20Bad\x20Request</TITLE>\n</HEAD><BODY>\n<H1>Bad\x20Re
SF:quest</H1>\n</BODY></HTML>\n")%r(Help,DF,"HTTP/1\.1\x20400\x20Bad\x20Re
SF:quest\r\nContent-Type:\x20text/html\r\nConnection:\x20close\r\nDate:\x2
SF:0Wed,\x2004\x20Jan\x202017\x2015:24:28\x20GMT\r\nContent-Length:\x2094\
SF:r\n\r\n<HTML><HEAD>\n<TITLE>400\x20Bad\x20Request</TITLE>\n</HEAD><BODY
SF:>\n<H1>Bad\x20Request</H1>\n</BODY></HTML>\n");
Device type: general purpose|broadband router
Running (JUST GUESSING): Linux 2.6.X|3.X (95%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
Aggressive OS guesses: Linux 2.6.32 - 3.10 (95%), Linux 3.2 - 3.8 (94%), Linux 2.6.32 (94%), Linux 3.8 (94%), Linux 2.6.32 - 2.6.39 (91%), Linux 3.2 - 3.10 (91%), Linux 3.11 - 3.14 (90%), Linux 2.6.26 - 2.6.35 (89%), 2.6.32 (89%), Linux 3.11 - 3.13 (89%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 6.888 days (since Wed Dec 28 13:06:18 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 16.39 ms 6.111.53.76
NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.41 seconds
Raw packets sent: 2859 (130.764KB) | Rcvd: 275 (13.324KB)
I know this is almost 2 years old at this point but I have 4 Meraki MX devices doing the exact same thing and I'm not sure where to turn. What did Meraki ultimately tell you? I have a case open right now and I'm waiting for a reply. All of the addresses I'm getting are in the 6.15.x.x scope. Still points to Ft. Huachuca though.
